PDA

View Full Version : ctfmon.exe



Reb00t
2007-04-24, 07:38
I was looking through startup applications and one of them was ctfmon.exe because i'm an XP user and i never uninstalled it or anything like that. However, the Spybot S&D information bar on the side told me that ctfmon.exe was a virus or some other sort of hazardous entry. I was just letting you know that S&D thinks it's a hijacking program when it's really just a Windows process.

spybotsandra
2007-04-24, 12:27
Hello,

Ctfmon.exe is part of Microsoft Office XP. It monitors the active windows and provides text input service support for speech recognition,
handwriting recognition, keyboard, translation, and other alternative user input technologies. It should be located here:

* C:\Windows\System32

If not it can be virus, spyware, trojan or worm! Examples:
PWSteal.Raidys
http://securityresponse.symantec.com...al.raidys.html
http://securityresponse.symantec.com/avcenter/venc/data/pwsteal.raidys.html
Trojan.Satiloler
http://securityresponse.symantec.com...satiloler.html
http://securityresponse.symantec.com/avcenter/venc/data/trojan.satiloler.html
Spyware.FamilyKeylog
http://securityresponse.symantec.com...ilykeylog.html
http://securityresponse.symantec.com/avcenter/venc/data/spyware.familykeylog.html
Further you can see it on the filesize. The legal version is something like 10 to 15 KB.

Best regards
Sandra
Team Spybot

ls-21
2007-08-12, 23:05
I found the same thing and was curious as it did not show on a scan. If its the MS version here is the link for the steps needed to disable it:

http://support.microsoft.com/kb/282599

For some reason Spybot thought mine was the spyware version.

md usa spybot fan
2007-08-13, 00:55
I found the same thing and was curious as it did not show on a scan. …

For some reason Spybot thought mine was the spyware version.
If you are in Spybot-S&D > Tools > System Startup and looking at the comments about a startup entry with a name of "ctfmon.exe", are these the comments you are referring to?


Current filename: C:\WINDOWS\system32\ctfmon.exe

Database status: Not required - virus, spyware, malware or other resource hog
Value: ctfmon.exe
Filename: ctfmon32.exe

Description
_CoolWebSearch_ parasite related - hijacking to Slawsearch.com

Source: Paul Collins Startup list

If so, they are just that, comments about possibilities for a startup entry with a name of "ctfmon.exe". They are comments, not detections picked up during a scan ("Check for problems").

In other words Spybot didn't think anything, it is just presenting comments about possibilities for a startup entry by the name of "ctfmon.exe" and in this case those comments are from "Paul Collins Startup list".